Security experts are questioning whether restricting high-risk vendors to nonsensitive parts of the network might be a viable security strategy - and whether one nation's choices might have security repercussions for allies.

The U.S. has been spearheading a push to ban Chinese telecommunications equipment manufacturing giants, including Huawei, from allies' 5G networks entirely, with one National Security Agency official saying it doesn't want to put a "loaded gun" in Beijing's hands.

So far, Australia, New Zealand and Japan have agreed with the U.S. position and barred Chinese telecommunications gear from at least part of their 5G network rollouts. But other U.S. allies in Europe have said in no uncertain terms that they will make up their own minds.

Britain Moves Toward Partial Ban

On Tuesday, news leaked that the U.K.'s National Security Council voted to allow Huawei to supply equipment for some "noncore" parts of the U.K.'s 5G network, such as antennas, although the government wasn't yet prepared to publicly make that declaration. The NSC's meetings are secret, and officials in the conservative government led by Prime Minister Theresa May said they had launched an investigation into the identity of the leaker.

A British government representative tells Information Security Media Group that NSC meetings are confidential and that any final decision would first be announced to parliament, as was proper. "Decisions from those meetings are made and announced at the appropriate time through the established processes," the spokesperson says.

"As part of our plans to provide world-class digital connectivity, including 5G, we have conducted an evidence-based review of the supply chain to ensure a diverse and secure supply base, now and into the future," he says. "This is a thorough review into a complex area and will report with its conclusions in due course."

Netherlands Follows British Lead

On Friday, in line with the apparent British position, Dutch telecommunications giant KPN said it would select a "Western vendor" to provide equipment for the core of its 5G network. That left open the possibility that Chinese firms might be allowed to supply noncore infrastructure.

Taking into account "the evolving assessment on the protection of vital infrastructure and the influence this may have on future Dutch policy," KPN said that it "plans to select a Western vendor for the construction of the new mobile core network for 5G."

"We are not blind to the political discussion about the security of our networks and we do see various potential suppliers for the 5G network in the Europe and U.S.," KPN's CFO, Jan Kees de Jager, said at a press conference, the Guardian reported.

Under the Microscope: Huawei

British intelligence agency GCHQ has been studying Huawei equipment since 2010 via its Huawei Cyber Security Evaluation Center, which is run by GCHQ's National Cyber Security Center. A team of highly vetted NCSC international analysts has been reviewing Huawei's business strategies and testing all product ranges before they potentially get used in any setting that might have national security repercussions (see: Huawei Security Shortcomings Cited by British Intelligence).

"GCHQ and the NCSC's role has been to offer expert, objective, technologically literate input into the security considerations around 5G," said Jeremy Fleming, director of GCHQ, in a rare public appearance, delivering the opening keynote speech at last week's CyberUK conference in Glasgow, Scotland (see: Intelligence Agencies Seek Fast Cyber Threat Dissemination).

"When we analyze a company for their suitability to supply equipment to the U.K.'s telecom networks, we are looking at the risks that arise from their security and engineering processes, as well as the way these technologies are deployed in our national telecom networks," he said in his Wednesday speech. "The flag of origin of 5G equipment is important, but it is a secondary factor."

David Lidington, minister for the cabinet office in the conservative British government led by Prime Minister Theresa May, speaking at CyberUK on Thursday, made a similar point.

British Minister for the Cabinet Office David Lidington delivers a speech at CyberUK. (Photo: Mathew Schwartz)

"The government's approach is not about one company or even one country. It's about ensuring stronger cybersecurity across telecoms, greater resilience in telecoms networks, and more diversity in the supply chain," said Lidington, who effectively serves as Prime Minister May's deputy. "We shall want to work with international partners to develop a common, global approach to improving telecoms' security standards."

Whatever decisions the British government makes could be subject to change. The Guardian reports that while the decision to allow Huawei to supply noncore infrastructure may have been agreed to by the NSC, it could be overturned by a new prime minister if the country sees a change in leadership.

Critical Infrastructure Protection

In a panel discussion at the CyberUK conference, hosted by NCSC, representatives from the Five Eyes intelligence alliance that includes Australia, Canada, New Zealand, the U.K. and U.S. all stressed that questions over Huawei remain at the top of their agenda.

"One of the common aspects of this panel is, we all have connections to our intelligence agencies, and the one thing we're all united on is ... there are nations that do plan to come at our national infrastructure and pose a threat," said Rob Joyce, the senior cybersecurity strategy adviser to the director of the NSA. "All of us are pretty certain that we're not going to use those technologies in our most sensitive networks."

Of course that raises this question: "What is a sensitive network?" The U.S. government remains keen to get this question right and so avoid potentially giving Beijing a "loaded gun," Joyce said.

First Assistant Director-General for Protect, Assure and Enable Scott McLeod of the Australian Signals Directorate speaks at CyberUK 2019.

Such questions also informed Australia's approach. "The sovereignty of our country is very important to us," said Scott McLeod, first assistant director-general for protect, assure and enable at the Australian Signals Directorate, during the panel discussion, noting that this formed the basis for the official guidance given by ASD to government officials.

Risk-Reduction Strategy: 'Not Proven'

Panelists said the Huawei question remained part of wider discussions.

"For us this is really about how you address this systemic risk," said Scott Jones, head of the Canadian Center for Cyber Security, during the panel discussion, noting that the promise of 5G also brings new potential perils, given the speed and connectivity levels.

Some security analysts say that just as 5G standards and implementation strategies continue to unfold, so too do risk-reduction strategies. In short, none have yet been truly field-tested.

"The question is whether a partial ban on Huawei to keep it out of sensitive areas and the telecom core will work to reduce risk," says James A. Lewis, a senior vice president at the Center for Strategic and International Studies in Washington.

"The only answer is 'not proven'," he said. "Both core and edge functions will become more important as 5G enables many more things than your phone - self-driving cars, telemedicine, smart cities and the like - and letting Huawei in, even at the edge, could provide China with opportunities for mischief."

China Seeks 'Level Playing Field'

In the face of continuing opposition to using Chinese-built telecommunications equipment in some countries' 5G networks, Beijing has continued to mount its own offensive.

China's ambassador to Britain, Liu Xiaoming, writing in the Telegraph on Sunday, urged Britain to "make decisions independently and in accordance with their national interests."

He said that "the last thing the world needs is the introduction of any sort of discriminatory measures towards companies involved in 5G network development," while "the last thing China expects from a truly open and fair 'global Britain' is a playing field that is not level."

Discussions to Continue in Prague

The question of 5G networks and which suppliers can be trusted for which purposes is on the agenda at a Prague conference being held this week.

More than 30 countries are expected to attend the May 2-3 conference, organized by the Czech foreign ministry and cybersecurity agency NUKIB, to discuss how best to secure next-generation telecommunications networks.

"It's a hugely complex strategic challenge which is going to span the next few decades," GCHQ's Fleming said in his CyberUK speech. "How we deal with it will be crucial for prosperity and our security. And it's yet another demonstration of how significant cybersecurity is becoming to a nation's cyber power."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.